src/Security/Voter/SortingSessionVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Project;
  7. use MedBrief\MSR\Entity\SortingSession;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Traits\Security\Authorization\Voter\ClientSortingSessionTrait;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class SortingSessionVoter implements VoterInterface
  17. {
  18. use ClientSortingSessionTrait;
  20. public const CREATE = 'CREATE';
  21. public const READ = 'READ';
  22. public const UPDATE = 'UPDATE';
  23. public const UPDATE_SIMPLE = 'UPDATE_SIMPLE';
  24. public const DELETE = 'DELETE';
  25. public const ADMINISTRATION = 'ADMINISTRATION';
  26. public const SEND_TO_SORTER = 'SEND_TO_SORTER';
  27. public const DOWNLOAD = 'DOWNLOAD';
  28. public const SORT = 'SORT';
  29. public const LIST_MEMO = 'LIST_MEMO';
  30. public const PREVIEW_MEMO = 'PREVIEW_MEMO';
  31. public const EDIT_MEMO_NOTES = 'EDIT_MEMO_NOTES';
  32. public const CREATE_MEMO = 'CREATE_MEMO';
  33. public const PUSH_UNSORTED = 'PUSH_UNSORTED';
  34. public const UNLOCK_SORT = 'UNLOCK_SORT';
  35. public const MORE_OPTIONS = 'MORE_OPTIONS';
  36. public const NOTE_ADMINISTRATION = 'NOTE_ADMINISTRATION';
  37. public const PREVIEW_INDEX = 'PREVIEW_INDEX';
  38. public const UPDATE_CENTRE = 'UPDATE_CENTRE';
  39. public const MANAGE_RESTORE_POINT = 'MANAGE_RESTORE_POINT';
  40. public const CANCEL_PREPROCESSING = 'CANCEL_PREPROCESSING';
  41. public const RESUBMIT_PREPROCESSING = 'RESUBMIT_PREPROCESSING';
  43. public function __construct(private AuthorizationCheckerInterface $authorizationChecker)
  44. {
  45. }
  47. public function supportsAttribute($attribute): bool
  48. {
  49. return in_array($attribute, [
  50. self::CREATE,
  51. self::READ,
  52. self::UPDATE,
  53. self::UPDATE_SIMPLE,
  54. self::DELETE,
  55. self::ADMINISTRATION,
  56. self::SEND_TO_SORTER,
  57. self::DOWNLOAD,
  58. self::SORT,
  59. self::LIST_MEMO,
  60. self::PREVIEW_MEMO,
  61. self::EDIT_MEMO_NOTES,
  62. self::CREATE_MEMO,
  63. self::PUSH_UNSORTED,
  64. self::UNLOCK_SORT,
  65. self::MORE_OPTIONS,
  66. self::NOTE_ADMINISTRATION,
  67. self::PREVIEW_INDEX,
  68. self::UPDATE_CENTRE,
  69. self::MANAGE_RESTORE_POINT,
  70. self::CANCEL_PREPROCESSING,
  71. self::RESUBMIT_PREPROCESSING,
  72. ]);
  73. }
  75. public function supportsClass($class): bool
  76. {
  77. $supportedClass = SortingSession::class;
  79. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  80. }
  82. /**
  83. *
  84. * @param mixed $entity
  85. */
  86. #[Override]
  87. public function vote(TokenInterface $token, $entity, array $attributes)
  88. {
  89. /**
  90. * START: This is common code for all Voter::vote() methods
  91. */
  92. // check if class of this object is supported by this voter
  93. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  94. return VoterInterface::ACCESS_ABSTAIN;
  95. }
  97. // check if the voter is used correct, only allow one attribute
  98. // this isn't a requirement, it's just one easy way for you to
  99. // design your voter
  100. if (1 !== count($attributes)) {
  101. throw new InvalidArgumentException(
  102. 'Only one attribute is allowed for Medbrief Voters.'
  103. );
  104. }
  106. // set the attribute to check against
  107. $attribute = $attributes[0];
  109. // check if the given attribute is covered by this voter
  110. if (!$this->supportsAttribute($attribute)) {
  111. return VoterInterface::ACCESS_ABSTAIN;
  112. }
  114. /** @var SortingSession $sortingSession */
  115. $sortingSession = $entity;
  117. // Grab Project this SortingSession belongs to, so we can do permission checks at the Project level.
  118. $project = $sortingSession->getProject();
  120. // get current logged in user
  121. /** @var User $user */
  122. $user = $token->getUser();
  124. // make sure there is a user object (i.e. that the user is logged in)
  125. if (!$user instanceof UserInterface) {
  126. return VoterInterface::ACCESS_DENIED;
  127. }
  129. // Deny deletion of a sorting session to everyone except super admins
  130. if ($attribute === self::DELETE && $this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  131. return VoterInterface::ACCESS_GRANTED;
  132. }
  134. // Deny updating of sorting session/batchrequest centre to everyone except SuperAdmins
  135. if ($attribute === self::UPDATE_CENTRE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  136. return VoterInterface::ACCESS_DENIED;
  137. }
  139. // Admin users can do everything, except sort a sorting session, this is strictly controlled to the attached user.
  140. if ($attribute !== self::SORT && $this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  141. return VoterInterface::ACCESS_GRANTED;
  142. }
  143. /**
  144. * END: Common code for all Voter:vote() methods. Put custom logic below.
  145. */
  146. if ($attribute === self::SORT) {
  147. // Grant currently assigned sorter access
  148. // This applies to both medbrief and client sorting sessions
  149. if ($entity->getRelevantUserAssigned() === $user) {
  150. return VoterInterface::ACCESS_GRANTED;
  151. }
  153. // If external editing is allowed (via the embedded DocSorter), allow all internal user types to edit all sorting sessions.
  154. if ($entity->allowExternalEditing($user) && $user->isUserTypeInternal()) {
  155. return VoterInterface::ACCESS_GRANTED;
  156. }
  157. }
  159. $clientSessionAccess = [
  160. self::READ,
  161. self::SEND_TO_SORTER,
  162. self::DOWNLOAD,
  163. self::DELETE,
  164. self::UPDATE_SIMPLE,
  165. self::NOTE_ADMINISTRATION,
  166. self::LIST_MEMO,
  167. self::PREVIEW_MEMO,
  168. self::EDIT_MEMO_NOTES,
  169. self::CREATE_MEMO,
  170. self::PREVIEW_INDEX,
  171. ];
  172. // if user is client, grant permission to export, send-to-sorter when that client has DocSorter access and client is administrator for Account
  173. // For the self::SORT permission, the sorting session needs to be externally editable to allow sorting. The allowedExternLEditing function encapsulates the logic for this.
  174. if ((in_array($attribute, $clientSessionAccess) || $attribute === self::SORT && $entity->allowExternalEditing($user)) && $this->hasClientSessionAccess($project, $user, $sortingSession)) {
  175. return VoterInterface::ACCESS_GRANTED;
  176. ;
  177. }
  179. // If we get to the end of this function, then no decisions have been
  180. // made so we deny access
  181. return VoterInterface::ACCESS_DENIED;
  182. }
  183. }